We were improperly creating the IPA self-signed CA during installation.
It lacked a certificate extension marking it as a CA. This causes the
certificates that IPA generates to not work with Firefox 3.5.

I'm working on a fix for this. If someone wants to give it a test that
would be helpful.

There are several steps you need to take on the initial master. If you
have replicas, I'll get back to that:

- Apply the patch to certs.py
(/usr/lib/python*/site-packages/ipaserver/certs.py)

Your new CA is in /etc/dirsrv/slapd-INSTANCE/cacert.p12. You'll want to
back this up somewhere (and probably remove the .p12 file).

This should generate a new CA, issue 2 certificates and put them into
PKCS#12 files, then import them into your instances.

If you have any replicas then do the same steps without the "ipa-ca -g"
step. ipa-ca should always be run on the initial IPA master.

The basic idea is that 'ipa-ca -g' generates a new CA using the certs.py
patch that you applied. Then you create a PKCS#12 file for each of the
two services on each IPA instance. The process of generating a new CA
creates a new DS database so you just have to import the cert you generated.

For Apache we have to remove the database and re-create it, fixing
permissions along the way. Then the cert is imported and the CA trusted.

This works for me with IPA v1.2. I wouldn't recommend doing this on a
production server yet.
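
A check for the defect described above, added here as an example and not part of the original message or of IPA: it reports whether a DER-encoded certificate carries the X.509 basicConstraints extension with cA=TRUE. It assumes basicConstraints is the missing extension (the message does not name it), and the sample certificates are constructed, unsigned stand-ins.

```python
# Added example (not FreeIPA code): report whether a DER certificate carries
# basicConstraints (OID 2.5.29.19) with cA=TRUE, using only the standard library.
BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # content bytes of OID 2.5.29.19

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    """Split the contents of a constructed element into (tag, value) pairs."""
    pos, out = 0, []
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        out.append((tag, val))
    return out

def is_ca(der):
    """True only if basicConstraints is present and its cA flag is TRUE."""
    stack = [der]
    while stack:
        for tag, val in children(stack.pop()):
            if not tag & 0x20:  # primitive element, nothing nested
                continue
            kids = children(val)
            if tag == 0x30 and kids and kids[0] == (0x06, BASIC_CONSTRAINTS):
                # Extension: extnID, optional critical flag, extnValue (OCTET STRING)
                _, inner, _ = read_tlv(kids[-1][1], 0)
                fields = children(inner)
                # cA is BOOLEAN DEFAULT FALSE: an empty SEQUENCE is not a CA
                return bool(fields) and fields[0] == (0x01, b"\xff")
            stack.append(val)
    return False  # extension absent, as with the CA described above

def tlv(tag, *parts):
    body = b"".join(parts)  # short-form length only; samples stay under 128 bytes
    return bytes([tag, len(body)]) + body

def sample_cert(bc_value):
    """Constructed, unsigned, certificate-shaped DER for the demo only."""
    ext = [] if bc_value is None else [tlv(0x30, tlv(0x06, BASIC_CONSTRAINTS),
                                           tlv(0x01, b"\xff"), tlv(0x04, bc_value))]
    tbs = tlv(0x30, tlv(0x02, b"\x01"), tlv(0xA3, tlv(0x30, *ext)))
    sig_alg = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")))
    return tlv(0x30, tbs, sig_alg, tlv(0x03, b"\x00"))
```

To run it against a real PEM certificate, convert it first with `ssl.PEM_cert_to_DER_cert()` and pass the result to `is_ca()`.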